ssl_faq.html.en

apache的软件linux版本

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.0</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.0</a> &gt; <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English">&nbsp;en&nbsp;</a></p>
</div>

<blockquote>
<p>The wise man doesn't give the right answers,
he poses the right questions.</p>
<p class="cite">-- <cite>Claude Levi-Strauss</cite></p>

</blockquote>
<p>This chapter is a collection of frequently asked questions (FAQ) and
corresponding answers following the popular USENET tradition. Most of these
questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
to avoid answering the same questions over and over.</p>

<p>Please read this chapter at least once when installing mod_ssl or at least
search for your problem here before submitting a problem report to the
author.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="about" id="about">About The Module</a></h2>
<ul>
<li><a href="#history">What is the history of mod_ssl?</a></li>
<li><a href="#y2k">mod_ssl and Year 2000?</a></li>
<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li>
</ul>

<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3>
<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
    Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
    Laurie's development cycle it then was re-assembled from scratch for
    Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
    1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
    first publicly released version was mod_ssl 2.0.0 from August 10th,
    1998. </p>
    
    <p>After US export restrictions on cryptographic software were
    loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP
    Server with the release of Apache httpd 2.</p>


<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3>
<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on
    Export Controls for Conventional Arms and Dual-Use Goods and
    Technologies</dfn> is: This is a international regime, established in 1995, to
    control trade in conventional arms and dual-use goods and technology. It
    replaced the previous <dfn>CoCom</dfn> regime. Further details on 
    both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>

    <p>In short, the aim of the Wassenaar Arrangement is to prevent the build up
    of military capabilities that threaten regional and international security
    and stability. The Wassenaar Arrangement controls the export of
    cryptography as a dual-use good, that is, something that has both military and
    civilian applications. However, the Wassenaar Arrangement also provides an
    exemption from export controls for mass-market software and free software.</p>
    
    <p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And
    Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says
    <q>The Lists do not control "software" which is either: 1. [...] 2. "in
    the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN
    THESE LISTS</q> we find <q>In the public
    domain</q> defined as <q>"technology" or "software" which has been made
    available without restrictions upon its further dissemination. Note:
    Copyright restrictions do not remove "technology" or "software" from being
    "in the public domain".</q></p>
    
    <p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes
    of the Wassenaar Arrangement and its <q>List of Dual Use Goods and
    Technologies And Munitions List</q>, and thus not affected by its provisions.</p>


</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="installation" id="installation">Installation</a></h2>
<ul>
<li><a href="#mutex">Why do I get permission errors related to 
SSLMutex when I start Apache?</a></li>
<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to 
generate temporary 512 bit RSA private key", when I start Apache?</a></li>
</ul>

<h3><a name="mutex" id="mutex">Why do I get permission errors related to 
	SSLMutex when I start Apache?</a></h3>
    <p>Errors such as ``<code>mod_ssl: Child could not open
    SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
    [...] System: Permission denied (errno: 13)</code>'' are usually
    caused by overly restrictive permissions on the <em>parent</em> directories.
    Make sure that all parent directories (here <code>/opt</code>,
    <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
    set for, at minimum, the UID under which Apache's children are running (see
    the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p>


<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error
	"Failed to generate temporary 512 bit RSA private key", when I start 
	Apache?</a></h3>
    <p>Cryptographic software needs a source of unpredictable data
    to work correctly. Many open source operating systems provide
    a "randomness device" that serves this purpose (usually named
    <code>/dev/random</code>). On other systems, applications have to
    seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
    appropriate data before generating keys or performing public key
    encryption. As of version 0.9.5, the OpenSSL functions that need
    randomness report an error if the PRNG has not been seeded with
    at least 128 bits of randomness.</p>
    <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide 
    enough entropy to the PRNG to allow it to work correctly. This can 
    be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> 
    directives.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2>
<ul>
<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from 
the same server?</a></li>
<li><a href="#ports">Which port does HTTPS use?</a></li>
<li><a href="#httpstest">How do I speak HTTPS manually for testing 
purposes?</a></li>
<li><a href="#hang">Why does the connection hang when I connect to my 
SSL-aware Apache server</a></li>
<li><a href="#refused">Why do I get ``Connection Refused'' errors, when 
trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li>
<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not
available to my CGI &amp; SSI scripts?</a></li>
<li><a href="#relative">How can I switch between HTTP and HTTPS in 
relative hyperlinks?</a></li>
</ul>

<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS 
	from the same server?</a></h3>
    <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to 
    port 80, HTTPS to port 443), so there is no direct conflict between 
    them. You can either run two separate server instances bound to 
    these ports, or use Apache's elegant virtual hosting facility to 
    create two virtual servers over one instance of Apache - one 
    responding to requests on port 80 and speaking HTTP and the other 
    responding to requests on port 443 speaking HTTPS.</p>


<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3>
<p>You can run HTTPS on any port, but the standards specify port 443, which
    is where any HTTPS compliant browser will look by default. You can force
    your browser to look on a different port by specifying it in the URL like
    this (for port 666): <code>https://secure.server.dom:666/</code></p>


<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3>
 <p>While you usually just use</p>
    
    <div class="example"><p><code>$ telnet localhost 80<br />
    GET / HTTP/1.0</code></p></div>

    <p>for simple testing of Apache via HTTP, it's not so easy for
    HTTPS because of the SSL protocol between TCP and HTTP. With the
    help of OpenSSL's <code>s_client</code> command, however, you can 
    do a similar check for HTTPS:</p>
    
    <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br />
    GET / HTTP/1.0</code></p></div>
    
    <p>Before the actual HTTP response you will receive detailed 
    information about the SSL handshake. For a more general command 
    line client which directly understands both HTTP and HTTPS, can 
    perform GET and POST operations, can use a proxy, supports byte 
    ranges, etc. you should have a look at the nifty 
    <a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can 
    check that Apache is responding correctly on ports 80 and 443 as 
    follows:</p>
    
    <div class="example"><p><code>$ curl http://localhost/<br />
    $ curl https://localhost/</code></p></div>


<h3><a name="hang" id="hang">Why does the connection hang when I connect 
    to my SSL-aware Apache server?</a></h3>
<p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
    the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
    This also happens the other way round when you connect via HTTPS to a HTTP
    port, i.e. when you try to use ``<code>https://</code>'' on a server that
    doesn't support SSL (on this port). Make sure you are connecting to a
    virtual server that supports SSL, which is probably the IP associated with
    your hostname, not localhost (127.0.0.1).</p>


<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, 
    when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3>
<p>This can happen for various reasons. The most common mistakes 
    include starting Apache with just <code>apachectl start</code> (or
    <code class="program"><a href="../programs/httpd.html">httpd</a></code>) instead of <code>apachectl startssl</code> (or
    <code>httpd -DSSL</code>). Your configuration may also be incorrect. 
    Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your 
    <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>
    directives. If all else fails, please start afresh, using the default 
    configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>


<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables 
    not available to my CGI &amp; SSI scripts?</a></h3>
<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>''
    enabled for the context of your CGI/SSI requests.</p>


<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative 
    hyperlinks?</a></h3>

<p>Usually, to switch between HTTP and HTTPS, you have to use 
    fully-qualified hyperlinks (because you have to change the URL 
    scheme).  Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can 
    manipulate relative hyperlinks, to achieve the same effect.</p>
    <div class="example"><p><code>
    RewriteEngine on<br />
    RewriteRule   ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]<br />
    RewriteRule   ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1  [R,L]
    </code></p></div>

    <p>This rewrite ruleset lets you use hyperlinks of the form
    <code>&lt;a href="document.html:SSL"&gt;</code>, to switch to HTTPS
    in a relative link.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2>
<ul>
<li><a href="#keyscerts">What are RSA Private Keys, CSRs and 
Certificates?</a></li>
<li><a href="#startup">Is there a difference on startup between
the original Apache and an SSL-aware Apache?</a></li>
<li><a href="#selfcert">How do I create a self-signed SSL 
Certificate for testing purposes?</a></li>
<li><a href="#realcert">How do I create a real SSL Certificate?</a></li>
<li><a href="#ownca">How do I create and use my own Certificate 
Authority (CA)?</a></li>